Thread-topic: Analysis, Source-code of the MySpace Quicktime worm
________________________________
From: Billy Hoffman [mailto:Billy.Hoffman@xxxxxxxxxxxxxxx]
Sent: Thu, 07.12.2006 18:56
To: Web Security
Subject: [WEB SECURITY] Analysis, Source-code of the MySpace Quicktime worm
Folks,
I wrote up a little analysis of the MySpace Quicktime worm, and also have a
copy of the source code which I cleaned up and heavily commented.
Brief:
http://www.spidynamics.com/spilabs/education/articles/MySpace-QuickTime%20Worm.html
Source Code:
http://www.spidynamics.com/spilabs/education/articles/MySpace-Quicktime-Worm.zip
To really appreciate this worm, compare it to the source of Samy
(http://namb.la/popular/tech.html) or Yamanner
(http://archives.neohapsis.com/archives/incidents/2006-06/0028.html). This worm
subclasses native JavaScript objects, has good use of functions, no wasted or
unnecessary globals, pulls source from multiple servers, etc. On top of that the
MySpace vuln to include the menu with Phishing is only two weeks old, while the
backdoored Quicktime movie vector is a few months old. Just like attackers wait
for MS patch Tuesday to write malware, it seems people are actively reading web
security resources and using them to generate worms. It is also interesting
that more and more worms, from Space Flash to Yamanner, to this, are being used
to try and generate revenue instead of simply deface.
Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845